A team from Princeton University has developed ways to break disk encryption, including Bitlocker, Truecrypt, Apple encryption, and Linux encryption, if the computer is in sleep mode or sitting at a password prompt, or even if it’s just been turned off.

Researchers with Princeton University and the Electronic Frontier Foundation have found a flaw that renders disk encryption systems useless if an intruder has physical access to your computer — say in the case of a stolen laptop or when a computer is left unattended on a desktop in sleep mode or while displaying a password prompt screen.

The attack takes only a few minutes to conduct and uses the disk encryption key that’s stored in the computer’s RAM.

The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off, enabling an attacker to use the key to collect any content still in RAM after reapplying power to the machine.

“We’ve broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers,” said J. Alex Halderman, one of the researchers, in a press release. “Unlike many security problems, this isn’t a minor flaw; it is a fundamental limitation in the way these systems were designed.”

The researchers successfully performed the attack on several disk encryption systems — Apple’s FileVault, Microsoft’s BitLocker, as well as TrueCrypt and dm-crypt — but said they have no reason to believe it won’t work on other disk encryption systems as well, since they all share similar architectures.

They released a paper about their work as well as a video demonstration of the attack (below).

Security is only a subset of why encryption software is deployed. Being able to denying negligence is the reason big corporations purchase the stuff. The sooner you realize nothing is secure the sooner news like this won’t impress you. Ugh.

As noted in the article, disabling booting from an external drive + a bios password is a good start for countermeasures, but it doesn’t mention if Apple’s “secure virtual memory” option (not on by default) would help against the search for the Filevault key.

On a separate note: to the Princeton researchers – Bravo, but discussing exploits before devising solutions causes more problems then the praise you receive? Didn’t joe-average-hacker already teach that lesson to Microsoft?! The real intelligence is coming up with a solution; something you should have done before promoting the average 13 year old into hardcore data thief. Thanks.